WASM Proxy
Currently, the WASM proxy is only supported for Kubernetes workloads.
For applications utilizing WASM extensions, particularly when these extensions reside in private registries, access management and secret handling become imperative. The imagePullSecret in Kubernetes acts as a security measure, providing the necessary credentials to ensure sidecars and gateway pods have the correct privileges to pull these extensions. As per Istio's documentation on imagePullSecret, it is essentially a reference to a Kubernetes Secret within the same namespace as the WasmPlugin. This secret contains a docker pull secret which authenticates against the registry during the image pull. Hence, while the secrets must be established in the application's namespace, it's important to note that the application team might not inherently possess direct credentials to the private registry.
The TSB WASM proxy solves this problem by providing centralized management of secrets and access to private registries. The WASM proxy is deployed in the control plane namespace (usually istio-system) and is responsible for pulling the images using the credentials provided in the control plane namespace.
Configuration Steps
- Enable the WASM Proxy: To enable the proxy, you will need to modify the MP CR with the following configuration:

    spec:
      enableWasmDownloadProxy: true

- Add Secrets to the istio-system Namespace: If the WASM extensions are hosted in a private registry, ensure you add the necessary secrets to the istio-system namespace in the application cluster. This allows the sidecars and gateway pods to access and pull the required extensions.

- Configure WasmExtension for ImagePullSecret: Once the secrets are in place, you need to configure the WasmExtension to use the secret as imagePullSecret. For a detailed guide and more options related to WasmExtension, refer to the documentation: WasmExtension.
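
The following is an added example, not part of the TSB documentation or tooling: a pre-flight check for the secret from the second step, confirming it is a docker pull secret in istio-system with credentials for the registry that hosts the extension image. The secret name, registry host, image reference and credentials are constructed placeholders, and the image reference is assumed to include the registry host.

```python
import base64
import json

def build_pull_secret(name, registry, username, password, namespace="istio-system"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def image_registry(image):
    """Registry host of a reference such as oci://host/repo:tag (host assumed present)."""
    return image.split("://", 1)[-1].split("/", 1)[0]

def check_pull_secret(secret, image, namespace="istio-system"):
    """Return the problems that would prevent `secret` from authenticating a pull of `image`."""
    problems = []
    if secret.get("metadata", {}).get("namespace") != namespace:
        problems.append(f"secret is not in namespace {namespace}")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("secret type is not kubernetes.io/dockerconfigjson")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        problems.append("missing .dockerconfigjson key")
        return problems
    try:
        auths = json.loads(base64.b64decode(raw)).get("auths", {})
    except (ValueError, AttributeError):
        problems.append(".dockerconfigjson is not base64-encoded JSON")
        return problems
    # auths keys may be written with or without a scheme; compare on host only
    hosts = {image_registry(str(key)) for key in auths}
    if image_registry(image) not in hosts:
        problems.append(f"no credentials for registry {image_registry(image)}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = build_pull_secret("wasm-registry-creds", "registry.example.com",
                               "wasm-puller", "not-a-real-password")
    print(check_pull_secret(secret, "oci://registry.example.com/wasm/add-header:1.0"))
```

An empty list means the secret has the expected type, namespace and a registry entry matching the image; it does not verify that the credentials themselves are accepted by the registry.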